CVE-2026-42991: Windows Push Notifications Race Condition Privilege Escalation (CVSS 7.8)
CVE-2026-42991 is a race condition in Windows Push Notifications that allows an authorized local user to escalate their privileges to a higher level of access. The vulnerability requires an attacker who already has login credentials and cannot be exploited remotely. It affects multiple versions of Windows 10, Windows 11, and Windows Server. While the barrier to exploitation is moderate due to timing constraints, the impact is severe—an attacker could gain system-level control.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-362, CWE-416
- Affected products
- 19 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability is a concurrent execution race condition (CWE-362) with potential use-after-free implications (CWE-416) in the Windows Push Notifications service. The flaw stems from improper synchronization when multiple threads access a shared resource. An authenticated local attacker can manipulate the timing of operations to win a race condition, causing the notification service to reference memory or state that has already been freed or modified. By exploiting this window, the attacker can execute arbitrary code in the context of the system or Local System service, achieving privilege escalation from a user-level account.
Business impact
Privilege escalation vulnerabilities on Windows endpoints pose a direct threat to organizational security posture. An employee or contractor with standard user access could exploit this to gain administrative or system-level privileges, potentially allowing them to install malware, exfiltrate sensitive data, disable security controls, or pivot to other systems on the network. In a corporate environment with thousands of endpoints, this creates a significant lateral movement risk. Desktop and server deployments are equally at risk, making this a broad organizational concern.
Affected systems
The vulnerability affects Windows 10 versions 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; and Windows Server 2019, 2022, and 2025. Organizations running any of these versions should assume their deployed base is affected unless patches have been applied. The extensive version coverage reflects the age and fundamental nature of the flaw in the notification service.
Exploitability
Exploitation requires local access and valid user credentials—an attacker cannot exploit this remotely over a network. The CVSS score of 7.8 (HIGH) reflects the high impact potential balanced against the requirement for authentication and moderate attack complexity due to race condition timing. The vulnerability is not currently tracked on the CISA Known Exploited Vulnerabilities catalog, suggesting either limited exploitation in the wild or that detection and reporting lag behind disclosure. However, the relatively low barrier to exploit development and the straightforward privilege escalation path make this attractive once proof-of-concept code circulates in security research communities.
Remediation
Apply security updates from Microsoft addressing CVE-2026-42991 across all affected Windows versions. Verify patch availability through the Microsoft Security Update Guide for each specific version in your environment. Given the broad version footprint, prioritize patching production servers (Windows Server 2019, 2022, 2025) first, then systematically update Windows 10 and 11 endpoints. Test patches in a non-production environment to ensure compatibility with critical applications before broad deployment.
Patch guidance
Check the Microsoft Security Update Guide and relevant KB articles for the specific patch versions applicable to your Windows versions. Windows 10 versions 1809, 21H2, and 22H2 may receive updates through different channels—verify whether your deployment receives updates directly or through servicing channels. Windows 11 and Server editions typically receive updates more uniformly. Establish a verification process to confirm patch installation and that the Push Notifications service is functioning correctly post-update.
Detection guidance
Monitor for suspicious activity in the Windows Push Notifications service (WpnService.exe) or related system processes attempting to access or modify memory regions. Look for failed or unusual inter-process communication attempts, unexpected privilege elevation patterns, or system calls associated with memory operations in notification service contexts. Endpoint Detection and Response (EDR) tools should flag process execution chains where a standard user process attempts to spawn a SYSTEM or Local System service process. Windows Event Viewer logs related to service crashes or unexpected terminations may also indicate exploitation attempts.
Why prioritize this
This vulnerability merits high priority due to its HIGH CVSS score, broad impact across consumer and server Windows versions, and the severity of privilege escalation. While it requires local access, insider threats and compromised employee accounts are realistic attack vectors. The presence of improper synchronization flaws in core system services suggests potential for widespread impact if weaponized. Patching should be scheduled within 30 days for general endpoints and within 14 days for servers and sensitive workstations.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects: (1) Local attack vector (AV:L)—requires physical or authenticated local access; (2) High attack complexity (AC:H)—race condition exploitation requires precise timing; (3) Low privileges required (PR:L)—standard user credentials suffice; (4) No user interaction needed; (5) Changed scope (S:C)—impact extends beyond the vulnerable component to system integrity; (6) High confidentiality, integrity, and availability impact (C:H/I:H/A:H)—full system compromise is possible. The score appropriately weights the severity of potential impact against the authentication requirement and exploitation difficulty.
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. CVE-2026-42991 requires local access and valid credentials. It cannot be exploited via network connections or by anonymous remote attackers. Remote code execution vulnerabilities are a separate concern.
What if we have Windows Defender or another endpoint protection solution installed?
Endpoint protection is a defense layer but does not patch the underlying vulnerability. Antimalware products can detect some exploitation attempts, but a determined attacker or sophisticated malware may bypass detection. Patching remains essential.
Does this affect domain-joined computers differently than standalone systems?
The vulnerability affects all affected systems equally. However, in domain environments, an attacker gaining local admin via this flaw could compromise domain credentials, potentially affecting your entire Active Directory forest. This amplifies the organizational risk.
Is there a workaround if we cannot patch immediately?
Microsoft has not published a known workaround that eliminates the vulnerability. Mitigations may include restricting local access, monitoring for exploitation attempts, and disabling the Push Notifications service if it is not required for your operations. However, patching is the definitive remediation.
This analysis is based on the CVE record published on 2026-06-09 and modified 2026-06-17. Specific patch version numbers, availability dates, and detailed remediation steps should be verified directly with Microsoft's official security advisories and your organization's patch management system. Exploit code is not provided; this document is for defensive awareness only. Organizations should conduct their own risk assessment and testing before applying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42836HIGHWindows Function Discovery Service Race Condition Privilege Escalation
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42978HIGHWindows Push Notifications Privilege Escalation (CVSS 7.8)
- CVE-2026-42979HIGHWindows Push Notifications Privilege Escalation (Race Condition)
- CVE-2026-45596HIGHWindows AFD Use-After-Free Privilege Escalation Vulnerability
- CVE-2026-45601HIGHWindows AFD WinSock Race Condition Privilege Escalation
- CVE-2026-45603HIGHWindows AFD Race Condition Privilege Escalation Vulnerability